Country/Cluster GRA Team Leadership Engagement Template Embedding & Transition Planning. August 10, 2006 London. Outline. Prepare for Management Assessment by clarifying: Management, Auditor and GRA roles and responsibilities Requirements and processes for sign-off on controls
Country/Cluster GRA Team Leadership Engagement Template: Embedding & Transition Planning. August 10, 2006, London
Outline • Prepare for Management Assessment by clarifying: • Management, Auditor and GRA roles and responsibilities • Requirements and processes for sign-off on controls • Review status of SOX404 program • Define AoO Embedding & Transition Stage Gates • Discuss AoO Embedding & Transition Timeline & Resources: • The OP Change Control Process • SOX Center of Excellence • Training
What is the SOX 404 Program? • The Sarbanes Oxley Act (Sect 404) requires that a process exists in the company to: • Provide reasonable assurance regarding the reliability of financial reporting • Prepare financial statements for external purposes in accordance with SEC regulations • SOX 404 requires that documented policies and procedures exist in the company which: • Pertain to the maintenance of records • Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements • Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets
Business vs. Process Accountability • Group management accountability is structured largely around global lines of business that cut across processes and legal entity structures. • Financial accounting and reporting processes that must be attested to for SOX are built around Areas of Operation (AoO) that more closely follow legal entity structure. • For OP in the US, there are five AoOs (SOPUS, Deer Park, Lubricants, FIFO, Manila) and Motiva.
Responsibilities of Managers and Auditors • SOX requires management to: • Accept responsibility for the effectiveness of the company’s internal control over financial reporting • Evaluate the effectiveness of internal control over financial reporting, using suitable control criteria • Support the evaluation with sufficient documented evidence • Present a written assessment about the effectiveness of the company’s internal control as of the end of the most recent fiscal year • SOX requires the auditor to: • Understand and evaluate management’s process for assessing the effectiveness of the company’s internal control over financial reporting • Plan and conduct an audit of the company’s internal controls • Based on this audit, attest to management’s written assessment about the effectiveness of the company’s internal control
RDS Methodology – 2006 Sign-Off Timeline • Q1 Sign-off, May 24th (after March 31): Design effectiveness • Q2 Sign-off, Aug 26th (after June 30): Design effectiveness & Operating effectiveness • Q3 Sign-off, Oct 25th (after Sept 30): Design effectiveness & Operating effectiveness • 2006 Annual Sign-off, Feb ‘07 (after Dec 31): Design effectiveness & Operating effectiveness
SOX 404 Sign-Off – What You Should Know Specific to CKH process and/or Your AoO(s) • Senior business and finance leaders are accountable for documenting, designing, operating and testing internal controls over financial reporting • Senior business and finance leaders are required to sign off annually on the effectiveness of key SOX 404 controls • Quarterly sign-off process is designed to support annual sign-offs. First quarter scheduled for May 24th – May 26th • Senior business and finance leaders will sign off in GreenLight on May 25th 2006. Meeting notice for May 25th sign-off will be sent by Project Office • May 25th sign-off will be preceded by a Non-GreenLight Assurance Process (hard copy sign-offs by control owners and senior finance manager in each business/support function) • Letter outlining process and requirements to be sent on April 10th
Quarter 4 2006 Sign-Off Timeline Specific to CKH process and/or Your AoO(s)
2006 Sign-Off Process Flow Diagram Specific to CKH process and/or Your AoO(s) Quarterly & Annual Sign-off required in GreenLight by Business Entity Signatories. Hard copy of signature required for Annual Sign-off. CoB Senior Finance Manager, CoS Department Lead and Control Owner Sign-off are available as supporting documentation.
Q4 Sign-Off Process - What You Should Check Specific to Your AoO(s) In the fourth quarter, you must ensure that: XXX….. • Any changes to the 2005 documentation are reflected in the 2006 documentation and in GreenLight • Any new or changed controls from the prior annual assessment have been tested, documented, judged to be design effective and reported in GreenLight • All design effectiveness control deficiencies are recorded in GreenLight as “not effective” • Remediation plans exist for all “not effective” controls and are summarized in GreenLight • All controls assessed as design effective should be supported by a previous walkthrough test and confirmed as remaining valid as part of an annual review of any changes to controls through the RESM/FARM process • You can rely on the SOX cycle and the SOX team that controls have been documented, independently tested by management’s testing team, and audited by IAF and with PwC. The outcomes of these reviews are loaded in GreenLight
2006 Compliant by Year-End Specific to Your AoO(s) Controls must be Design Effective and Operational Effective Design Effective (Documented) • Documentation Complete – Narrative, Flow Charts, Actual Control Descriptions • Walkthrough test with sample of 1 • Not Effective if failures are remediated but not enough time to re-test (burn in time) Operational Effective (In place and functioning) • Independent test of statistical sample of 25 (23 passes to be effective) • Any remediation needed to be effective must take place by year-end • Not-Effective if failures are remediated but not enough time to re-test (burn in time)
2006 Control Status Overview Insert the latest CKH slide on status of controls and any observations
Your AoO – Current SOX Effectiveness Need data for the AoO of interest
Delivery, Transition & Embedding Stage Gates Work effort depends on deliverable quality from the SOX team… CoB/CoS Organization Project Team Sustaining Project Delivery Project Delivery Transition Management • Requirements: • Coded-Accessible Repository • Recognition that every control register differs in size, scope and complexity • Match roles & solutions to each unique CoB/CoS • Requirements: • High quality products from team • Stable Methodology • Defined Deliverables • Realistic Project Stage Gates • Improved Project Discipline • Requirements: • Repeatable evidence • Clear management assessment process • Updates to existing registers • Knowledge of SOX assessment process for new “Trigger” items • Understand 302 & 404 reporting Embedding: Training/Communications/Change Management
Factors in my AoO Affecting 2007-2008 Timeline • Senior staff moves • Size, composition and dates for Project Team • Major system upgrades or changes: • Streamline • GSAP • Other? • Key operational activities affecting availability of resources: • T&R • Refinery Projects • Re-Organization
Open Discussion – GSAP/Streamline Whiteboard Exercise
SOX 404 Embedding & Transition Timeline & Resources
CoB/CoS must: Generate, Maintain & Control Evidence Guiding Principle: CoB/CoS User Work Effort CoB/CoS user embedding level of effort varies with time… Understanding the project team existing body of knowledge • New process • Reorganization • New control interpretations • Portfolio rationalization • Offshore/outsourcing • New IT applications • Upgrade of IT apps User Level of Effort • Updates & revisions to existing controls First Qtr 2007 Evergreen “Periodic Reviews Continuous Improvement” As needed - defined by SOX “Triggers”
Guiding Principle: Hidden Population Summary. One register, one department, one location requires 42 people to be trained. Converting roles to names… [Organization chart: Lubricants Infrastructure. Role levels: Process Owners (Overall Sign off), Control Owners (Review & Sign off), Control Executors (Generate Evidence), Desk Level (Document & Test). Departments: Client Services, Data Center Operations, Communications, Database Technologies, Server Technologies. Named in the chart: IT Infrastructure Manager, Gary Ramsey, Mary Stuesser, Jackey Gale, Pat Wray, Cheryl Archie, Euan Sanguinetti, Keith Milsap, Clint Tate, Rusty Rushton, Kayoor Gajarawala, Kevin Haden, Cheryl Cowden; desk-level groups of 6, 7, 7, 5 and 5 staff.]
SOX 404 Embedding & Transition Proposed Next Steps
Next Steps in Your AoO • Future participation in your staff meetings to engage other leadership to: - Present Embedding & Transition Plans - Understand future business challenges affecting SOX workload • Nominate key point-of-contact for your AoO (Focal Point or other Transition Liaison) to work with GRA • Expect work effort of this role to be full time starting with XXX • Identification of SMEs also needed to assist with Training • Plan for walk-through of project documentation with SOX Project Team Leader • Prepare to deploy resources to assist Embedding Transition Team in tailoring transition plan and delivery model for your Business